CVE-2026-11482: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0
A SQL injection vulnerability has been discovered in SourceCodester Class and Exam Timetabling System version 1.0. An attacker can manipulate the 'sy' parameter in the /archive5.php file to inject malicious SQL commands, potentially accessing, modifying, or deleting sensitive database records. The vulnerability requires no authentication and can be exploited over the network. Public exploit code is available, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11482 is a SQL injection vulnerability affecting SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in /archive5.php where user-controlled input from the 'sy' argument is processed without proper sanitization or parameterization before being used in SQL queries. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection). With a CVSS 3.1 score of 7.3 (HIGH), it has a network attack vector, requires no privileges or user interaction, and grants attackers read, write, and delete capabilities on the underlying database.
Business impact
SQL injection vulnerabilities in educational administration systems pose significant operational and data protection risks. Attackers could compromise student records, grades, exam schedules, and institutional data. For organizations relying on this timetabling system, exploitation could disrupt academic schedules, expose personally identifiable information of students and staff, trigger compliance violations (e.g., FERPA, GDPR), and damage institutional reputation. The public availability of exploit code substantially increases the likelihood of opportunistic attacks.
Affected systems
SourceCodester Class and Exam Timetabling System version 1.0 is affected. Organizations running this application should immediately inventory all deployments, particularly those hosting student or staff records. The vulnerability does not appear limited to a specific database backend, as SQL injection generically impacts SQL-based systems.
Exploitability
This vulnerability is highly exploitable. The attack requires no authentication, no user interaction, and can be performed remotely by simply crafting a malicious HTTP request to /archive5.php with a modified 'sy' parameter. Public exploit code availability means threat actors have ready-made tools for deployment. The low attack complexity (AC:L) and lack of prerequisites make this a prime target for both targeted campaigns and opportunistic scanning.
Remediation
Immediate action is required. Organizations should disable or restrict access to the Class and Exam Timetabling System until a vendor patch is applied. Verify with SourceCodester whether a patched version is available; if no patch exists, consider alternative timetabling solutions. As a temporary measure, implement network-level access controls to limit exposure of the application to trusted networks only. Conduct a database audit to detect unauthorized access or data modification post-disclosure.
Patch guidance
Contact SourceCodester directly or monitor their security advisories for a patched version of Class and Exam Timetabling System. Verify patch availability before deploying; if the vendor does not provide a timely update, prioritize migration to an alternative, actively maintained timetabling platform. Test any patch in a non-production environment before rolling out organization-wide.
Detection guidance
Monitor web server logs for requests to /archive5.php containing suspicious characters in the 'sy' parameter (e.g., quotes, dashes, SQL keywords like UNION, SELECT, OR). Deploy a Web Application Firewall (WAF) with SQL injection detection rules to block or flag payloads. Conduct database query logging and review for anomalous or unauthorized queries. Alert on any access to the application from external networks if it should only be accessed internally.
Why prioritize this
This vulnerability merits urgent prioritization due to the combination of high CVSS score (7.3), public exploit availability, remote network exploitability without authentication, and the sensitive nature of data typically stored in educational administration systems. The absence of KEV designation does not diminish the risk; public exploits and the straightforward attack mechanism mean active exploitation is likely.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), lack of required privileges (PR:N), and no user interaction requirement (UI:N). The score indicates low confidentiality, integrity, and availability impact (C:L/I:L/A:L) because an attacker gains database access but the scope is limited to that single application's data store. The HIGH severity rating is appropriate given the real-world risk of data theft and manipulation in an educational context.
Frequently asked questions
Is SourceCodester Class and Exam Timetabling System actively maintained?
That information is not specified in the vulnerability record. Contact the vendor directly to determine maintenance status and timeline for a security patch. If the product is no longer maintained, prioritize migration to an alternative solution.
Can this vulnerability be exploited without network access to the application?
No. The vulnerability requires network-level access to the affected /archive5.php endpoint. However, if the application is internet-facing or accessible from untrusted networks, the barrier to exploitation is minimal.
What data is at risk if this vulnerability is exploited?
Any data stored in the underlying database is at risk, including student records, grades, exam schedules, staff information, and any other data the application manages. Attackers can read, modify, or delete records depending on database permissions.
Why is this vulnerability prioritized despite not being on the CISA KEV list?
Public exploit availability and ease of exploitation make this a practical threat regardless of KEV status. KEV listing indicates federal agencies' active awareness, but absence from the list does not mean the vulnerability is low-risk, especially in sensitive sectors like education.
This analysis is based on publicly disclosed information as of the modification date (2026-06-17). Verify all remediation steps against official vendor advisories and your organization's security policy. No guarantee is provided regarding the completeness or applicability of this guidance to your specific environment. Test all patches and mitigations in non-production systems before deployment. For the latest updates and vendor-specific guidance, consult SourceCodester's official security advisories. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login